Trusted Platform Modules (TPMs) are small, inexpensive chips which provide a limited set of security functions. They are most commonly found as a motherboard component on laptops and desktops aimed at the corporate or government markets, but can also be found on many consumer-grade machines and servers, or purchased as independent components. Their role is to serve as a Root of Trust - a highly trusted component from which we can bootstrap trust in other parts of a system. TPMs are most useful for three kinds of tasks: remotely identifying a machine, or machine authentication; providing hardware protection of secrets, or data protection; and providing verifiable evidence about a machine's state, or attestation. This book describes the primary uses for TPMs, and practical considerations such as when TPMs can and should be used, when they shouldn't be, what advantages they provide, and how to actually make use of them, with use cases and worked examples of how to implement these use cases on a real system. Topics covered include when to use a TPM; TPM concepts and functionality; programming introduction; provisioning: getting the TPM ready to use; first steps: TPM keys; machine authentication; data protection; attestation; other TPM features; software and specifications; and troubleshooting. Appendices contain basic cryptographic concepts; command equivalence and requirements charts; and complete code samples.

One of the major problems with trusted computing adoption has been a lack of good introductory information. People wondering what this technology is, why they should care about it, or how they should get started using it have generally not had very many resources to turn to. In this book, I will begin with the most basic questions of what the technology is; talk about when this technology is most useful (and, equally important, when it's not); and then start introducing the technical details of why and how to use the technology. If you're still at the stage of wondering if this technology is relevant to you, start with the first couple of chapters; there's enough complexity here that a classic engineer's `jump in feet first' approach is inefficient. If you're familiar with the basics of trusted computing technology already, Chapters 4 and up will provide you with useful reference material, but you may also find new ideas for how trusted computing can be applied in your environment in Chapter 2. This book is intended for a technical audience, but not one with any particular familiarity with trusted computing, hardware, or security concepts.

TPMs are most useful for three kinds of tasks: remotely identifying a machine, or machine authentication; providing hardware protection of secrets, or data protection; and providing verifiable evidence about a machine's state, or attestation. Each of these categories covers a wide range of real-world applications, and some applications take advantage of multiple categories. In all cases, it's important to consider whether a TPM is the best tool for the job. TPMs are ubiquitous among enterprise computers, and have zero or minimal additional purchase costs, in contrast to smart cards or high-end cryptographic coprocessors. They have a number of specialized functions which can be very powerful in enterprise environments, and which are hard to find elsewhere. However, TPMs are also slow and not suitable for rapid, bulk operation. Using them, at least today usually requires investing in specialized software, often written in-house; in some cases, they even require custom changes to an enterprise's PKI. If you have a single use case which could use the TPM and a more widely deployed technology equally well, you may consider the overhead costs of setting up and integrating TPMs a negative deciding factor. However, if your enterprise is well placed to take advantage of several TPM features in diverse applications, the net benefits from TPM integration may well justify the initial overhead costs; if TPM deployment is done well once, the cost of each additional use case will be quite small.

This chapter discussed the concepts and functionality of trusted platform modules. TPMs are designed to have an owner: a single party, which could be a person for a consumer TPM or an entire IT department for an enterprise machine, who is responsible for configuring the TPM appropriately. The TPM owner is not equivalent to a root or administrator account in an OS; the owner cannot read secrets belonging to other TPM users, or use the owner password to bypass other access controls. The owner does, however, have a few useful unique powers compared to other users.

Provisioning generally has two goals: setting up the necessary initial configuration and establishing trust in the TPM. TPMs today do not come ready to use. Every TPM, whatever the version, needs to have some initial values provisioned before the TPM can generate and use keys; without keys, none of the TPM's features work. What the initial values are varies from version to version. Provisioning can in some cases also determine who has permission to use certain TPM functionality.

At the core of the TPM's functionality are its keys. All of the TPM's ability to provide authentication, attestation, and data protection services are built around its secure keys. Before you can use the TPM for the vast majority of applications, you'll need to know how to work with its keys. In this section, I'll discuss just what we mean by `secure' in more detail, and why TPM keys are both tremendously powerful and sometimes tremendously inconvenient. I'll also discuss the various types of key, how to create them, and how to use them. (I'll go into much more detail about which keys to use when, in later chapters, we discuss various use cases.) You may be thinking, `In the provisioning chapter, I just created my root/primary keys; aren't those going to be enough?' The short answer for 1.2 TPMs is: only for a very limited set of applications, mostly having to do with local data storage: the root keys are specialized in order to be maximally secure. For 2.0 TPMs, primary keys can be more flexible, but owing to the limitations of the TPM's internal space, if you're using the TPM for a variety of applications you'll almost certainly want non-primary keys as well. And regardless, you'll still need to know something about how to use TPM keys even if you just use the root or primary keys.

Authentication, in this context, refers to the verification of identity data in the form of a cryptographic key. Machine authentication is thus all about identifying a machine via its keys. This is particularly effective in a TPM context because the cryptographic keys are usable inside the TPM itself, and the TPM is attached to the motherboard; in some cases, the TPM is even a subset of the CPU. This means that if you can prove that a set of keys belonging to a given TPM was used, the machine that TPM is attached to must have been involved.1 Machine authentication is therefore a property we effectively get for free with many TPM applications. Any use case where a remote party is verifying a TPM key can be used for machine authentication.

Attestation, as we discussed briefly in Chapter 2, is the presentation of verifiable evidence about machine state to an appraiser, who can decide whether or not the state is acceptable. Our focus will be on remote attestation, where the appraiser is on a different machine, for two reasons. First, the vast majority of interesting attestation use cases are those where we want a machine to prove to an external party that it is trustworthy. Second, local attestation often presents a unique challenge: if one is trying to decide whether one can trust the machine one is using, how can you be certain your ability to determine what state is acceptable has not been modified? As a result, local attestation tends to take two forms: boot-time protections, where the state of the next piece of software to load is being assessed and the boot process may be halted if the software is not approved, and the very rare temporal attestation, where one is verifying the state of the machine at some previous time when some particular action was taken.

This chapter discusses many of the TPM's small but useful features that didn't fit well elsewhere in this book. Nothing in this chapter is critical for making use of theTPM; however, everything here serves a useful purpose in certain circumstances. We'll begin with the functions with the broadest applicability, including clearing the TPM of data, using the TPM's RNG, managing the TPM's internal configuration information, and creating an archive. Later in this chapter, we'll cover more specialpurpose features such as monotonic counters, delegation, and timing capabilities.

This book is designed as an introductory text to the world of TPMs and trusted computing, but it's far from the whole story. In this chapter, we'll discuss where to find additional resources of many kinds. These resources include software libraries to support use of the TPM, which are useful for implementing simple applications and generally giving TPM use a try; books and other materials that will help you learn more about related topics; and, for those who need to delve deeper, the specifications themselves, with an account of how to get the most out of them. Because so many of the resources referred to here are online, there is a high probability that some of the links will become obsolete at some point during the lifetime of this book. Updated links, along with other errata and additional content, will be available at http://digital-library.theiet.org/content/books/pc/ pbpc013e.

This chapter gives troubleshooting tips in the following scenarios: when all else fails; there's no TPM in the BIOS menu; trouble getting any software working; TSS 1.2 code returning errors; and problems using TPM data structures.

Over the course of this book, I've provided a basic introduction to TPMs, and how they can be used both directly and in a range of personal and enterprise contexts. I've discussed the TPM's primary functions at length: secure key storage, trusted cryptographic functionality, and reliable reporting of stored data. I've covered how TPMs need to be provisioned before use, and how establishing trust in a TPM can in some cases be a highly sensitive operation. I've discussed the different capabilities of different types of TPM keys, how to choose the correct key for an application, and how to set up appropriate access constraints. I've introduced many useful functions of the TPM, both well known and obscure, and provided guidance on how and when to use them. I've also shown how the TPM relates to the Roots of Trust for Measurement, the pros and cons of various measurement options, and how measurements can be used in the TPM.

These charts are intended to serve two quite unrelated purposes. The first is to allow someone who has a particular PC TPM to discover which commands will definitely be supported, which won't, and which may or may not be, depending on the manufacturer. The second is to provide a convenient reference for implementers using multiple TPM versions or programming abstraction levels. The first chart is organized by TPM 1.2 commands. For each command, the chart indicates whether the command is required; the TSS 1.2 TSPI functions, if any, that provide equivalent or overlapping functionality; and the TPM 2.0 commands which are the closest equivalents, if any are close at all. In some cases, where TPM 2.0 has introduced new but related functionality, I'm including it, so that those interested can look into the details and decide if it's useful to them. The second chart is organized by TPM 2.0 commands. For each command, the chart indicates whether the command is required. Note that many TPM 2.0 commands show up in the second chart but not the first; these are commands for which there is no real 1.2 equivalent.

Throughout most of the book, the code examples were presented as excerpts with explanations. Because it can sometimes be hard to work out how those excerpts come together, this appendix includes several complete programs. The 1.2 TSS examples are demonstration programs to show how several TPM functions work in combination. The 2.0 TSS examples are single-purpose utilities for production use that come with the IBM TSS 2.0 package, and are included with the kind permission of the author.